{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0939", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-14T14:06:31.783Z", "datePublished": "2026-01-16T06:43:20.971Z", "dateUpdated": "2026-04-08T17:00:41.932Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:41.932Z"}, "affected": [{"vendor": "linknacional", "product": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Rede Ita\u00fa for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed."}], "title": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710"}, {"url": "https://plugins.trac.wordpress.org/changeset/3441046/woo-rede/tags/5.1.3/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-345 Insufficient Verification of Data Authenticity", "cweId": "CWE-345", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-01-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-15T18:31:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T13:57:15.216409Z", "id": "CVE-2026-0939", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:57:52.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T13:57:15.216409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:57:47.874Z"}}], "cna": {"title": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "linknacional", "product": "Rede Ita\u00fa for WooCommerce \u2014 Payment PIX, Credit Card and Debit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-01T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-15T18:31:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710"}, {"url": "https://plugins.trac.wordpress.org/changeset/3441046/woo-rede/tags/5.1.3/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php"}], "descriptions": [{"lang": "en", "value": "The Rede Ita\u00fa for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:41.932Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0939", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:41.932Z", "dateReserved": "2026-01-14T14:06:31.783Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T06:43:20.971Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Rede Ita\u00fa for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed."}, {"lang": "es", "value": "El plugin Rede Ita\u00fa para WooCommerce para WordPress es vulnerable a la manipulaci\u00f3n del estado de los pedidos debido a una verificaci\u00f3n insuficiente de la autenticidad de los datos en todas las versiones hasta e incluyendo la 5.1.2. Esto se debe a que el plugin no verifica la autenticidad de las devoluciones de llamada de pago. Esto hace posible que atacantes no autenticados manipulen los estados de los pedidos de WooCommerce, ya sea marcando pedidos no pagados como pagados, o fallidos."}], "id": "CVE-2026-0939", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-16T07:15:56.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3441046/woo-rede/tags/5.1.3/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:10:38.650518+00:00", "value": {"mitigation_remediation": ["Update the Rede Ita\u00fa plugin to version 5.1.3 or later to apply the vendor fix.", "Restrict access to the plugin\u2019s callback endpoint by configuring WordPress or the web server to accept requests only from known IP addresses or by using authentication tokens.", "Audit existing orders for inconsistencies and revert any status changes that were not authorized by legitimate payment confirmations."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Order Status Manipulation"}, "threat_synthesis": {"affected_systems": "The affected software is the Rede Ita\u00fa for WooCommerce plugin for WordPress, versions up to and including 5.1.2. No other products or vendors are listed.", "description_and_impact": "The vulnerability resides in the Rede Ita\u00fa for WooCommerce plugin, where callbacks from the payment gateway are not authenticated. An attacker can send arbitrary requests to modify a WooCommerce order status, marking unpaid orders as paid or causing paid orders to appear failed. This compromises the integrity of the sales ledger and could lead to revenue loss or refunds.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% shows low probability of exploitation. The vulnerability is not currently in the CISA KEV catalog. Attackers do not require authentication and can trigger the flaw by sending crafted callbacks to the plugin's endpoint, directly changing order states."}}}}, "created": "2026-01-16T13:41:33.336224+00:00", "updated": "2026-04-15T19:15:12.082204+00:00", "vendors": ["linknacional", "linknacional$PRODUCT$rede_itau_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}